Prepared statements are used to sanitize your input, and to do that you can use :foowithout any single quotes within the SQL to bind variables, and then in the execute() function you pass in an array of the variables you defined in the SQL statement.

You may also use ? instead of :foo and then pass in an array of just the values to input like so;